Application of Data Collected by Endpoint Detection and Response Systems for Implementation of a Network Security System based on Zero Trust Principles and the EigenTrust Algorithm

• Main Authors: Kumar, Nitesh, Kasbekar, Gaurav S, Manjunath, D
• Format: Journal Article
• Language: English
• Published: 17.03.2022
• Subjects: Computer Science - Cryptography and Security; Computer Science - Networking and Internet Architecture
• DOI: 10.48550/arxiv.2203.09325

Traditionally, security systems for enterprises have implicit access based on strong cryptography, authentication and key sharing, wherein access control is based on Role Based Access Control (RBAC), in which roles such as manager, accountant and so on provide a way of deciding a subject's authority. However, years of post-attack analysis on enterprise networks has shown that a majority of times, security breaches occur intentionally or accidently due to implicitly trusted people of an enterprise itself. Zero Trust Architecture works on the principle of never granting trust implicitly, but rather continuously evaluating the trust parameters for each resource access request and has a strict, but not rigid, set of protocols for access control of a subject to resources. Endpoint Detection and Response (EDR) systems are tools that collect a large number of attributes in and around machines within an enterprise network to have close visibility into sophisticated intrusion. In our work, we seek to deploy EDR systems and build trust algorithms using tactical provenance analysis, threshold cryptography and reputation management to continuously record data, evaluate trust of a subject, and simultaneously analyze them against a database of known threat vectors to provide conditional access control. However, EDR tools generate a high volume of data that leads to false alarms, misdetections and correspondingly a high backlog of tasks that makes it infeasible, which is addressed using tactical provenance analysis and information theory.